Privacy is something we seem to hear more and more about as we get less and less of it. Running a business has always involved privacy issues, because companies have always had some degree of personal information about their customers and their employees. Even in the “old days,” when people were more self-sufficient and paid cash for what they bought, merchants still knew what their customers bought, when they bought it, and whether they had to count out their last pennies to pay or flashed a big bankroll.
In today’s digital world, however, companies not only know but collect and keep far more personal data. You probably have much more personal data stored on your network than you might first think.
Types of personal data you collect
As an MSP, you deal primarily with other businesses – but you most likely have records that include, at the very least, financial information that you need in order to collect payment from your customers. If your clients are small “mom and pop shops” or sole proprietorships, you may have their personal credit card or bank account numbers and other more personal data that, if exposed, could be misused. You probably have their email addresses, which can be targeted by spammers.
And of course, you have a wealth of personal information about each of your employees – and it’s probably stored on your computers. You have their home addresses and telephone numbers, perhaps their personal email addresses. You have their social security numbers, which represent the “keys to the kingdom” for identity thieves. You also have personnel records that might (depending on your employment process) include such confidential information as the results of drug/alcohol tests or psychological and personality evaluations. If you provide health insurance, you may also have employee medical records.
Other data that may need privacy protection includes video footage from surveillance cameras that you have deployed throughout your facility. Depending on your company’s security level and your management philosophy, you might also use key loggers or screen capture software to record employees’ activities when they use company computers, and you most likely archive their email messages, including any use of company email accounts for personal purposes. You may also keep firewall logs that record users’ web history and surfing habits.
What are your responsibilities?
When you collect and store personal data about someone, whether it’s an individual customer, a business or someone who works for you, you incur a responsibility to use that data responsibly and to keep it out of the hands of other, unauthorized people or organizations. In many cases, this is not only a moral and ethical obligation but a legal one, as well. But what exactly does that mean in practical terms? There are really two broad elements involved:
- Informing those whose personal information you collect about what information of theirs you have and what you use it for.
- Keeping stored personal information secure.
You should also inform employees about information you collect about them, especially surveillance information. This is generally done through your workplace and personnel policies. With customers, it’s usually sufficient to mail them a copy of the privacy statement and it doesn’t have to be sent certified or otherwise in a way that proves they received it. With employees, you should go further and have them sign off that they received, read and understand the policies, to avoid misunderstandings and possible future lawsuits. Some countries have laws that require employers to notify employees in writing of workplace surveillance (for example, the Workplace Privacy Act of 2011 in Australia). In the European Union, employers are required to get the consent of employees before monitoring their phone calls and Internet activity.
There are special rules that apply to certain types of data. For example, in the U.S. laws such as HIPAA, the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) impose specific restrictions.
Your MSP may be a small company, but it’s subject to many of the same privacy concerns and rules and regulations as a big corporation. When personal information comes your way – whether because you specifically requested it or as a side effect of your company’s dealings with others – the data itself must remain private, but what you do with it is not a private matter. This is one of those areas that has become so complex that it’s a good idea to consult an attorney to help you map out a privacy strategy.